feat: increase system security

2025-12-06 17:17:22 +01:00 · 2024-08-10 16:45:55 +02:00 · 2024-08-10 16:45:55 +02:00 · bbaee7acd8
commit bbaee7acd8
parent 5bb6e6038e
4 changed files with 53 additions and 7 deletions
--- a/profiles/common/nixos/default.nix
+++ b/profiles/common/nixos/default.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, inputs, ... }:
 {
  imports = [
    ./xserver.nix
@ -12,12 +12,14 @@
    ./network.nix
    ./time.nix
    ./hardware.nix
+    ./pipewire.nix
    ./sops.nix
    ./packages.nix
    ./programs.nix
    ./zsh.nix
    ./syncthing.nix
    ./blueman.nix
+    ./safeeyes.nix
    ./networkdevices.nix
    ./gvfs.nix
    ./interceptiontools.nix
@ -26,11 +28,32 @@
    ./stylix.nix
    ./power-profiles-daemon.nix
    # ./impermanence.nix
+    ./nvd-rebuild.nix
    ./nix-ld.nix
    ./gnome-keyring.nix
+    ./sway.nix
+    ./xdg-portal.nix
  ];

-  nix.settings.trusted-users = [ "swarsel" ];
+  nix =
+    let
+      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+    in
+    {
+      settings = {
+        experimental-features = [
+          "nix-command"
+          "flakes"
+          "ca-derivations"
+        ];
+        trusted-users = [ "swarsel" ];
+        flake-registry = "";
+        warn-dirty = false;
+      };
+      channel.enable = false;
+      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+    };

  home-manager = {
    useGlobalPkgs = true;